SecurityPkg: Update VariableAuthenticated driver with following changes:

1. Remove memory allocation code in runtime.
2. Exclude NULL terminator in VariableName for serialization data in time-based variable authentication.
3. Add support for enroll PK with WRITE_ACCESS attribute.
4. Initialize SetupMode variable with correct NV attribute.
5. Add support for APPEND_WRITE attribute for non-existing Variable.
6. Clear KEK, DB and DBX as well as PK when user request to clear platform keys.
7. Check duplicated EFI_SIGNATURE_DATA for Variable formatted as EFI_SIGNATURE_LIST when APPEND_WRITE attribute is set.
8. Not change SecureBoot Variable in runtime, only update it in boot time since this Variable indicates firmware operating mode.
9. Save time stamp of PK when PK is set with TIME_BASED_WRITE_ACCESS attribute in setup mode.
10. Update to use PcdMaxVariableSize instead of PcdMaxAppendVariableSize for append operation.

Signed-off-by: xdu2
Reviewed-by: tye

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12599 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 59 insertions, 15 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
index 6b0db74c81..54e2ac0a43 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
@@ -3,12 +3,12 @@
   internal structure and functions used by AuthService module.

 

 Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>

-This program and the accompanying materials 

-are licensed and made available under the terms and conditions of the BSD License 

-which accompanies this distribution.  The full text of the license may be found at 

+This program and the accompanying materials

+are licensed and made available under the terms and conditions of the BSD License

+which accompanies this distribution.  The full text of the license may be found at

 http://opensource.org/licenses/bsd-license.php

 

-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 

+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,

 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

 

 **/

@@ -20,9 +20,17 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #define EFI_CERT_TYPE_RSA2048_SIZE        256

 

 ///

-/// Size of AuthInfo prior to the data payload

+/// Size of AuthInfo prior to the data payload.

 ///

-#define AUTHINFO_SIZE (((UINTN)(((EFI_VARIABLE_AUTHENTICATION *) 0)->AuthInfo.CertData)) + sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))

+#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \

+                       (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \

+                       sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))

+

+#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \

+                                  (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)

+

+#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \

+                                       (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))

 

 ///

 /// "AuthVarKeyDatabase" variable for the Public Key store.

@@ -58,8 +66,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
   @return EFI_WRITE_PROTECTED             Variable is write-protected and needs authentication with

                                           EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.

   @return EFI_SECURITY_VIOLATION          The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS

-                                          set, but the AuthInfo does NOT pass the validation 

-                                          check carried out by the firmware. 

+                                          set, but the AuthInfo does NOT pass the validation

+                                          check carried out by the firmware.

   @return EFI_SUCCESS                     Variable is not write-protected, or passed validation successfully.

 

 **/

@@ -74,6 +82,20 @@ ProcessVariable (
   );

 

 /**

+  Update platform mode.

+

+  @param[in]      Mode                    SETUP_MODE or USER_MODE.

+

+  @return EFI_INVALID_PARAMETER           Invalid parameter.

+  @return EFI_SUCCESS                     Update platform mode successfully.

+

+**/

+EFI_STATUS

+UpdatePlatformMode (

+  IN  UINT32                    Mode

+  );

+

+/**

   Initializes for authenticated varibale service.

 

   @retval EFI_SUCCESS           Function successfully executed.

@@ -107,8 +129,8 @@ CryptLibraryInitialize (
   @param[in]  IsPk                        Indicate whether it is to process pk.

 

   @return EFI_INVALID_PARAMETER           Invalid parameter

-  @return EFI_SECURITY_VIOLATION          The variable does NOT pass the validation 

-                                          check carried out by the firmware. 

+  @return EFI_SECURITY_VIOLATION          The variable does NOT pass the validation

+                                          check carried out by the firmware.

   @return EFI_SUCCESS                     Variable passed validation successfully.

 

 **/

@@ -135,8 +157,8 @@ ProcessVarWithPk (
   @param[in]  Attributes                  Attribute value of the variable.

 

   @return EFI_INVALID_PARAMETER           Invalid parameter.

-  @return EFI_SECURITY_VIOLATION          The variable does NOT pass the validation 

-                                          check carried out by the firmware. 

+  @return EFI_SECURITY_VIOLATION          The variable does NOT pass the validation

+                                          check carried out by the firmware.

   @return EFI_SUCCESS                     Variable passed validation successfully.

 

 **/

@@ -151,6 +173,27 @@ ProcessVarWithKek (
   );

 

 /**

+  Merge two buffers which formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA

+  will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA

+  will be ignored.

+

+  @param[in, out]  Data            Pointer to original EFI_SIGNATURE_LIST.

+  @param[in]       DataSize        Size of Data buffer.

+  @param[in]       NewData         Pointer to new EFI_SIGNATURE_LIST to be appended.

+  @param[in]       NewDataSize     Size of NewData buffer.

+

+  @return Size of the merged buffer.

+

+**/

+UINTN

+AppendSignatureList (

+  IN  OUT VOID            *Data,

+  IN  UINTN               DataSize,

+  IN  VOID                *NewData,

+  IN  UINTN               NewDataSize

+  );

+

+/**

   Compare two EFI_TIME data.

 

 

@@ -182,8 +225,8 @@ CompareTimeStamp (
   @param[out] VarDel                      Delete the variable or not.

 

   @retval EFI_INVALID_PARAMETER           Invalid parameter.

-  @retval EFI_SECURITY_VIOLATION          The variable does NOT pass the validation 

-                                          check carried out by the firmware. 

+  @retval EFI_SECURITY_VIOLATION          The variable does NOT pass the validation

+                                          check carried out by the firmware.

   @retval EFI_OUT_OF_RESOURCES            Failed to process variable due to lack

                                           of resources.

   @retval EFI_SUCCESS                     Variable pass validation successfully.

@@ -205,5 +248,6 @@ extern UINT8  mPubKeyStore[MAX_KEYDB_SIZE];
 extern UINT32 mPubKeyNumber;

 extern VOID   *mHashCtx;

 extern VOID   *mStorageArea;

-  

+extern UINT8  *mSerializationRuntimeBuffer;

+

 #endif